US-CERT Technical Cyber Security Alert TA05-347A -- Microsoft Internet Explorer Vulnerabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


            Technical Cyber Security Alert TA05-347A

           Microsoft Internet Explorer Vulnerabilities

   Original release date: December 13, 2005
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows
     * Microsoft Internet Explorer

   For more complete information, refer to the Microsoft Security
   Bulletin Summary for December 2005.

Overview

   Microsoft has released updates that address critical vulnerabilities
   in Internet Explorer (IE). A remote, unauthenticated attacker could
   exploit these vulnerabilities to execute arbitrary code or cause a
   denial of service on an affected system.

I. Description

   The Microsoft Security Bulletins for December 2005 address
   vulnerabilities in Microsoft Windows and Internet Explorer. By
   convincing a user to view a specially crafted HTML document, such as a
   web page or an HTML email message or attachment, an attacker could
   execute arbitrary code with the privileges of the user. The attacker
   could also cause IE or the program using the WebBrowser control to
   crash.

   Further information is available in the following US-CERT
   Vulnerability Notes:

   VU#887861 - Microsoft Internet Explorer vulnerable to code execution
   via mismatched DOM objects 

   Microsoft Internet Explorer fails to properly handle requests to
   mismatched DOM objects, which may allow a remote attacker to execute
   arbitrary code on a vulnerable system.
   (CVE-2005-1790)

   VU#959049 - Several COM objects cause memory corruption in Microsoft
   Internet Explorer 

   Microsoft Internet Explorer allows instantiation of COM objects not
   designed for use in the browser, which may allow an attacker to
   execute arbitrary code or crash IE.
   (CVE-2005-2127)

II. Impact

   A remote, unauthenticated attacker exploiting these vulnerabilities
   could execute arbitrary code with the privileges of the user. If the
   user is logged on with administrative privileges, the attacker could
   take complete control of an affected system or cause a denial of
   service.

III. Solution

Apply Updates

   Microsoft has provided the updates for these and other vulnerabilities
   in the December 2005 Security Bulletins and on the Microsoft Update
   site.

Disable ActiveX

   Disable ActiveX in the Internet Zone to further protect against the
   vulnerabilities described in VU#959049 and VU#680526. Instructions for
   disabling ActiveX are available in the CERT/CC Malicious Web Scripts
   FAQ. Note that disabling ActiveX will reduce the functionality of some
   web sites.

   The updates provided by MS05-037, MS05-038, MS05-052, and MS05-054
   block COM objects known to be vulnerable, however there may be more.

Appendix A. References

     * Microsoft Security Bulletin Summary for December 2005 -
       <http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx>

     * Microsoft Security Bulletin MS05-054 -
       <http://www.microsoft.com/technet/security/bulletin/MS05-054.mspx>

     * Microsoft Security Bulletin MS05-052 -
       <http://www.microsoft.com/technet/security/bulletin/MS05-052.mspx>

     * Microsoft Security Bulletin MS05-038 -
       <http://www.microsoft.com/technet/security/bulletin/MS05-038.mspx>

     * Microsoft Security Bulletin MS05-037 -
       <http://www.microsoft.com/technet/security/bulletin/MS05-037.mspx>

     * US-CERT Vulnerability Note VU#887861 -
       <http://www.kb.cert.org/vuls/id/887861>

     * US-CERT Vulnerability Note VU#959049 -
       <http://www.kb.cert.org/vuls/id/959049>

     * US-CERT Vulnerability Note VU#680526 -
       <http://www.kb.cert.org/vuls/id/680526>

     * CVE-2005-1790 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1790>

     * CVE-2005-2127 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2127>

     * CERT/CC Malicious Web Scripts FAQ -
       <http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56>

     * Improve the safety of your browsing and e-mail activities -
       <http://www.microsoft.com/athome/security/online/browsing_safety.m
       spx>

     * Security Essentials -
       <http://www.microsoft.com/athome/security/protect/default.aspx>

     * Microsoft Update - <https://update.microsoft.com/microsoftupdate>

     _________________________________________________________________


   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA05-347A.html> 

     _________________________________________________________________


   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA05-347A Feedback VU#887861" in the
   subject.

     _________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>. 

     _________________________________________________________________


   Produced 2005 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html> 

     _________________________________________________________________


   Revision History

   December 13, 2005: Initial release



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ59LY30pj593lg50AQLb7AgAyoitGXFhQ5kbEXQwDyZLsxMnA2NTH3NA
7Xo7HqFr230p0BwzusI48XbEUg/NVN4gEQEqaaI+Rq9hYbLj6mkmgYV0O3ljZ1Xq
zIHakv0GRA71JkC/npDEGeNxIgu3L0jNjnjrBc10Sh3gKTzLamfBpljhLUPkaa8V
SCjYJA3Tq9wJy8vyB+K0ApYYtLvW3LHsQIG3c4nKu/QPfn+uVSSrOFkeQq0JckDY
9P/hrCbfmG7jz8KVAhRl7w90zAZm/uIPUO0LUhBer1WebdUsu+cX/7q4/iDh16Dq
e74OK2S3P1hESn8wo7EYc/VL09aEw8k3EIfuFYO64EuQFu0Dd6Q39g==
=omN4
-----END PGP SIGNATURE-----

[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux